Mark Abene (Phiber Optik) was imprisoned for a year. That was rather
long for the actual charge. Mitnick himself spent
nearly five years in prison, 4.5 of which were pre-trial. That situation is similar to that of Terry
Childs in San Francisco, who is still in prison.
Calce, Abene & Mitnick now all work in computer security. Is this
appropriate?
One theory is that gaining notoriety for an exploit is the way to get a security job. Is that
appropriate?
If not, what could be done differently?
Modern phishing attacks (also DNS attacks)
Stealing credit-card numbers from stores. (Note: stores are not supposed
to retain these at all.
However, many do.)
Boeing attack, Baase p 262: how much should
Boeing pay to make sure no files were changed?
TJX attack: Baase p 87 and p 271
The breakin was discovered in December 2006, but may have gone back
to 2005.
40 million credit-card numbers were stolen! And 400,000 SSNs, and a
large number of drivers-license numbers.
Hackers apparently cracked the obsolete WEP encryption on wi-fi
networks to get in, using a "cantenna" from outside the building. Once
in, they accessed and downloaded files. There are some reports that
they eavesdropped on data streaming in from stores, but it seems likely
that direct downloads of files were also involved.
Six suspects were eventually arrested. I believe they have all now
been convicted; there's more information in the privacyrights.org page
below (which also pegs the cost to TJX at $500-1,000 million).
For a case at CardSystems Solutions,
see
http://www.schneier.com/blog/archives/2005/06/cardsystems_exp.html.
Here the leak was
not due to wi-fi problems, but lack of compliance with standards was
apparently involved. Schneier does a good job explaining the
purely contractual security requirements involved, and potential
outcomes. Schneier also points out
The TJX and CardSystems attacks were intentional, not just data gone missing.
When attacks ARE about money, often the direct dollar value is huge. And tracing what happened can be difficult. An entire bank account may be gone. Thousands of dollars may be charged against EVERY stolen credit-card number.
Here's a summary of several incidents: http://www.privacyrights.org/ar/ChronDataBreaches.htm#CP.
An emerging standard is Payment
Card Industry Data Security Standard (PCI DSS), supported by
MasterCard, Visa, Discover, American Express, and others. See http://www.pcicomplianceguide.org/pcifaqs.php
for some particulars; a more official site is https://www.pcisecuritystandards.org.
Note that PCI DSS is not a law, but is "private regulation". Once upon
a time, the most effective regulators of steam-powered ships were
insurance companies [reference?]. This is similar, but MasterCard and
Visa are not quite the same as insurers. From the FAQ above:
It is important to be familiar with your merchant account agreement, which should outline your exposure.
If you are a store, you can refuse to pay the fine. But then you
will lose the ability to accept credit cards. This is extremely bad!
Visa's CISP program is described at http://www.visa.com/cisp.
The PCI standards do allow merchants to store the name and
account-number data. However, this is strongly
discouraged. Sites that
keep this information are required by PCI to have it encrypted.
CardSystems
was keeping this data because they were having a higher-than-expected
rate of problems with transactions, and they were trying to figure out
why.
To some extent, PCI DSS compliance is an example of how ethical
behavior is in your own long-term best interest.
What is it? What can be done?
And WHO IS RESPONSIBLE??
The most common form of identity theft is someone posing as you in
order to borrow money in your name, by obtaining a loan, checking
account, or credit card. When someone poses as you to empty your bank
account, that's generally known as "just plain theft".
Note that most "official" explanations of identity theft describe it
as something that is stolen from you; that is, something bad that has
happened to you. In fact, it is probably more accurate to describe
"identity theft" as a validation error made by banks and other lenders;
that is, as a lender problem.
This is a good example of nontechnical people framing the discourse to make it look
like your identity was stolen from you,
and that you are the victim, rather than the banks for making loans
without appropriate checks. And note that banks make loans without
requiring a personal appearance by the borrower (which would give the
bank a chance to check the drivers-license picture, if nothing else)
because that way they can make more
loans and thus be more profitable.
Is it ok to be "testing their security"?
What if it's a government site?
Should you be allowed to run a security scanner against other sites?
What if the security in question is APPALLINGLY BAD?
What if you have some
relationship to the other host?
Baase, p 270:
"The Defense Information Systems Agency estimated that there were
500,000 hacker attacks on Defense Department networks in 1996, that 65%
of them were successful, and
that the Dept detected fewer than 1%". But 1996 was a long long time
ago.
Do we as citizens have an obligation
to hack into our government's
computers, to help demonstrate how insecure they are?
What about hacking into Loyola's computers? Are we obligated to do that? What about
Loyola's wireless network?
Ok, failing that, what is our obligation to prevent intrusions that are not likely to be directly
harmful to us?
In 2006, Kevin Mitnick's sites were defaced by a group. There's some
irony there.
Other Baase cases:
several attacks against Chinese gov't sites, due to repressive
policies
pro-Zapatista groups defacing Mexican government sites
US DoJ site changed to read "Department of Injustice"
Legal tools against hackers
Once upon a time, authorities debated charging a hacker for the value
of electricity used; they had no other tools. The relative lack of
legal tools for prosecution of computer breakins persisted for some
time.
Computer Fraud & Abuse Act of 1986: made it illegal to access
computers without authorization (or to commit fraud, or to get
passwords)
USA PATRIOT Act:
extends CFAA, and provides that when totting up the cost of the attack,
the victim may include all costs of response and recovery. Even
unnecessary or irresponsible costs.
Trespassing?
"Trespass of Chattels": maybe.
This is a legal doctrine in which one party intentionally interferes
with another's chattels,
essentially personal property (including computers). Often actual harm
need not be proven, just that the other party interfered, and that the
interference was intentional and without authorization.
In 2000 e-bay won a case against Bidder's
Edge where the latter used
search robots to get information on e-bay auctions. The bots used
negligible computation resources. The idea was for Bidder's Edge to
sell information to those participating in eBay auctions. In March
2001, Bidder's Edge settled as it went out of business.
Later court cases have often required proof of actual harm, though.
In 1998 [?], Ken Hamidi used the Intel email system to contact all
employees regarding Intel's allegedly abusive and discriminating
employment policies. Intel sued, and won at the trial and appellate
court levels. The California Supreme Court reversed in 2003, ruling
that use alone was not sufficient for a trespass-of-chattels claim;
there had to be "actual or threatened interference".
How do you prosecute when there is no attempt to damage anything?
Part of the problem here is that trespass-of-chattels was a doctrine
originally applied to intrusions,
and was quickly seized on as a tool against those who were using a
website in ways unanticipated by the creator (eg Bidder's Edge). Is
that illegal? Should the law discourage that? Should website owners be
able to dictate binding terms of use
for publicly viewable pages (ie pages where a login is not required)?
Kutztown 13
Students were issued 600 Apple iBooks in 2004
The
admin password was part of school address, taped to the back! The
password was changed, but the new one was cracked too. Some of the
students got admin privileges and:
bypassed browser filtering
installed chat/IM software, maybe others
disabled monitoring software
The students were accused of
monitoring teachers or staff, but that seems unlikely.
The school's security model was hopelessly flawed. Who is responsible for that?
The
school simply did not have the resources to proceed properly.
The offenders were warned repeatedly.
But why didn't the schools simply take the iBooks away? Why were felony charges pursued? The charge was
for felony computer trespass.
The school argued that the charges were filed because the students
signed an "acceptable use"
policy. But why should that make any difference in whether felony
charges were pursued?
http://www.wired.com/news/technology/0,1282,68480,00.html
cutusabreak.org:
now gone
Wikipedia:
Kutztown_Area_high_School
Randal Schwartz
http://www.lightlink.com/spacenka/fors
Oregon made it a FELONY to do anything UNAUTHORIZED.
Also, taking
a file without authorization was declared to be THEFT.
Schwartz faced three counts:
These he did as a former sysadmin, now assigned to other duties, but
still concerned about password security. All he did was to run the
"crack" program to guess passwords. This involved copying the public
/etc/passwd file, which at that time contained the encrypted passwords,
and to this day contains the username-to-userid mapping used every time
you run ls -l.
The appeals court argued that although "authorization" wasn't
spelled out
in the law, Schwartz did things without authorization as narrowly
interpreted. The appellate court also upheld the trial court's
interpretation of "theft": taking anything without permission, even if
the thing is essentially useless or if the taking is implicitly
authorized.
The appellate court also seemed to believe that Schwartz might have
been looking for flaws to take credit for them, and that such personal
aggrandizement was inappropriate. But employees all the time look for problems at work
and try to fix them, hoping to receive workplace recognition.
Schwartz and Kutztown 13 cases have in common the idea that sometimes
the law makes rather mundane things into felonies. For Schwartz, it is
very clear that he had no "criminal" intent in the usual sense,
although he did "intend" to do the actions he was charged with.
Terry Childs
Childs was a Cisco-certified Internetwork Expert (CCIE)
working for San Francisco; he was the only one with the router
passwords for the city's fiberWAN network.
He was suspended for insubordination on July 9, 2008,
apparently for refusing to turn over router passwords. There are GOOD
reasons for limiting access to such passwords on a need-to-know basis,
BUT refusing to turn them over might be going pretty far. Especially when this locks the owners of the system out.
However,
there are some mitigating factors, including the fact that there was an
open speakerphone call in progress at the time Childs was asked for the
passwords. We do not know if Childs was given another chance to turn
over the passwords, or told to turn them over privately to his
immediate supervisor, or to create another account. There were allegations at the trial that Childs
knew he was expected to turn over the passwords, after the
confrontation, but did not do so. However, it seems plausible that if
Childs had turned over the passwords at the initial conference, he might have been prosecuted for doing so.
At the trial, Childs claimed he was only asked (by his supervisors and by the police) for his username and password, not
for access to the systems in question (which he could have granted by
creating another account). Other accounts claim that Childs clearly
knew what his supervisors wanted, and refused to give it to them.
Most accounts describe the July 9 meeting as a "confrontation",
ultimately as much due to poor San Francisco management as Childs'
behavior.
Note that the password in question was not a personal password, but
rather an administrative password for a set of Cisco routers. The
routers had been configured so as to be difficult to update without the
password.
He was arrested by SF police on Saturday, July 12, 2008 on four
counts of computer tampering. He was never granted bail, and he
remained in prison through his April 27, 2010 conviction. (As of December 2010, he is still in prison.)
He refused to give the police valid passwords at his arrest
(such refusal without having the opportunity to consult with a lawyer
is protected by the 5th Amendment, although it is not clear whether he continued to refuse).
He did give the passwords to then-mayor Gavin Newsom of SF, on July 21, 2008, while
in prison.
It seems likely that Childs would have had opportunities to
negotiate with his supervisors for the handover of the passwords
between the July 9 confrontation and his arrest, though he was suspended.
At no point did Childs do anything to damage the network, and the network was never
down at any time.
Childs had some past history: he committed a burglary at age 17 and
spent 4 years in prison. This apparently has no bearing on the present
case.
The city's main claim is that Childs was arrested because he placed
the city systems in jeopardy. However:
The biggest concern to computing professionals is that San Francisco
then created a
laundry list of criminal allegations against Childs that in fact are
standard practices:
Childs seems to have been "security-conscious to the point of paranoia".
But most good computer-security people are!
In opposing bail reduction for Childs, the city's attorneys wrote in
July 2008:
The final four charges (pretty close to the original, but none of the
tantalizing allegations of the bail-reduction motion making it in): one
of "disrupting or denying computer services" (by not revealing the
passwords) and three of "providing a means of accessing a computer,
computer system, or computer network" (one for each of the three
modems).
The latter three charges were finally dropped on August 21, 2009, over a year later. Bail remained at $5
million, even though the state's original argument against bail
reduction was based on the three dropped charges and the idea that the
"unauthorized" modems might mean that Childs had other
backdoors into the city network. Also, San Francisco had plenty of time to
tighten up security. It is possible that the three dropped
"unauthorized modem" charges were dropped because of the impossibility
of proving that they were in fact unauthorized, though that is to some
extent exactly the defense's point.
Childs is charged with "disrupting or denying computer services".
However, note that in the first "disrupting or denying computer
services" charge, no computer services were actually disrupted. The
only thing denied was the password.
He did configure the
network in a manner that made it difficult for coworkers to
reconfigure it. Was this about prudence, or job security? He
apparently did not
face day-to-day clear lines of authority; he definitely was not asked
to make the master passwords available to supervisors until the dispute.
There are no charges (as filed in
February 2009) of network tampering; these appeared in court documents
in
July and August 2008 but were dropped. ("Network tampering" appears to
have been
replaced by the three modem charges.)
The modems were all apparently legitimate: the first was to dial
Childs' pager if there was a problem (through the What's Up Gold monitoring package),
the
second was to allow immediate dialin access to some SF networks
(not apparently the FiberWAN), and in addition was apparently installed
before Childs was hired, and the third was to provide an alternative
communications path to emergency services across the San Andreas
fault. (See http://www.infoworld.com/d/data-management/could-childs-case-put-all-network-admins-in-danger-979)
If there was any additional illegitimate
purpose, it does not appear to be documented anywhere in any filings to
date.
The questions were, first, did the defendant know he caused a
disruption or a denial of computer service. It was rather easy for us to
answer, "Yes there was a denial of service." And that service was the
ability to administer the routers and switches of the FiberWAN.
Is refusing to turn over a password really a denial of service? It seems more like a denial of potential service.
That
was the first aspect of it, the second aspect was the denial to an
authorized user. And for us that's what we really had to spend the most
time on, defining who an authorized user was. Because that wasn't one of
the definitions given to us.
zero-day exploits
Should they
be tolerated? Encouraged?
Consensus seems to be that zero-day exploits are a bad idea, that
one has some responsibility to let vendors know about an exploit so a
patch can be developed.
Patch Tuesday is now followed by Exploit Wednesday.
Cisco 2005 case involving Michael Lynn: see http://www.schneier.com/blog/archives/2005/07/cisco_harasses.html
Hacking
What legal responses are appropriate?
Should we criminalize having hacking tools?
What about magnetic-stripe readers? RFID readers?
Pringles cans (for use as cantennas)?
DVD players that bypass the region code?
What about C compilers?
Note that it is in fact already illegal to possess certain things that
can have illegal uses, such as automotive dent pullers (used to pull
cylinders out of locks) and tools that look like they might be lock
picks.
With all the concern about online theft, why do we trust online
merchants at all? For that matter, why do we trust people we've met on
facebook, etc?
Why we trust online sites:
Overall, it seems that lack of bad past
experience has the most to do with why we trust. (Also, it doesn't
appear to take much experience for many people to feel comfortable with
something.)
What about personal sites? (Not necessarily dating, but those too.) How
do we form online friendships (eg at discussion sites)? What about
forming new friends on facebook? What makes us
think people aren't completely deceiving us? What about in face-to-face settings? Is that any
different????
Some foreign governments have apparently expressed the concern that
Windows must have some sort of
back-door access mechanism accessible to the CIA.
Trusting software:
how do we do this? What responsibility do vendors have?
is there an obligation for software to work on our behalf?
a "fiduciary obligation"?
Trusting your email software; trusting your browser
See http://stopbadware.org
What about DRM? What about Windows?
Most is spyware or viruses or some inappropriate "control" software (eg
Sony's, discussed Week 13)
stopbadware.org definition
1. If the application acts deceptively or irreversibly.
2. If the application engages in potentially objectionable behavior
without:
See also stopbadware.org/home/guidelines
Also see http://stopbadware.org/home/alerts:
RealPlayer had been here (Spr 2008?) (still in stopbadware.org/home/alertsarchive)
KaZaa had been here in (Spr 2008?)
Spyware Striker Pro (Spring 2009)
(ironically, this is NOT "fake" spyware-removal software!)
Trust
With all the concern about online theft, why do we trust online
merchants at all? For that matter, why do we trust people we've met on
facebook, etc?
Technological issues & trust: can we at least trust that we're
talking to the person we think
we're talking to?
Old-style PGP (Pretty Good Privacy) trust:
You need to VERIFY people's public keys (that the key matches the
person). Otherwise you can get a bad key, write to them using it, and
be victim of a man-in-the-middle attack.
(public key crypto: each person has a public key and a private key. If
someone encrypts a message to you with your public key, you can decrypt
it with your private key. Similarly, if you encrypt something with your
private key, anyone can decrypt it with your public key, and in the process verify that it was
encrypted with your private key. That last bit means that the
message can act as your DIGITAL SIGNATURE.)
How can we be able to TRUST our keys?
Alice needs Bob's key.
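An added example (not from these notes) of why Alice must verify Bob's key before trusting it. It uses a toy RSA with small constructed primes, a SHA-256 key fingerprint standing in for a real PGP fingerprint, and an assumed third party, Mallory, who sits between Alice and Bob; the messages are constructed.

```python
import hashlib

# Toy RSA with small constructed primes: enough to show the mechanics of
# "encrypt with the private key, anyone decrypts with the public key".
# Real keys are thousands of bits and use padding; do not reuse this as crypto.
BOB_PRIMES = (10007, 10009)
MALLORY_PRIMES = (10037, 10039)
E = 65537


def make_keypair(p, q, e=E):
    n, phi = p * q, (p - 1) * (q - 1)
    d = pow(e, -1, phi)             # private exponent (needs Python 3.8+)
    return (n, e), (n, d)           # public key, private key


def fingerprint(pub) -> str:
    """Short hash of the public key: the value Alice and Bob compare out of
    band (by phone, in person, on a business card) before trusting the key."""
    n, e = pub
    return hashlib.sha256(f"{n}:{e}".encode()).hexdigest()[:16]


def _digest(key, msg: bytes) -> int:
    """Message hash reduced modulo n so it is a valid RSA input."""
    n = key[0]
    return int.from_bytes(hashlib.sha256(msg).digest(), "big") % n


def sign(priv, msg: bytes) -> int:
    """Digital signature: the message hash 'encrypted' with the private key."""
    n, d = priv
    return pow(_digest(priv, msg), d, n)


def verify(pub, msg: bytes, sig: int) -> bool:
    """Anyone holding the public key can check that the matching private key
    produced the signature."""
    n, e = pub
    return pow(sig, e, n) == _digest(pub, msg)


def alice_accepts(key_from_network, msg: bytes, sig: int, trusted_fp=None) -> bool:
    """Alice's check on an incoming (key, message, signature). Without a
    trusted fingerprint she can only tell that *some* key signed the message."""
    if trusted_fp is not None and fingerprint(key_from_network) != trusted_fp:
        return False                # key substitution detected
    return verify(key_from_network, msg, sig)


def demo() -> dict:
    bob_pub, bob_priv = make_keypair(*BOB_PRIMES)
    mal_pub, mal_priv = make_keypair(*MALLORY_PRIMES)
    bob_fp = fingerprint(bob_pub)   # assumed: Alice got this from Bob in person

    msg = b"Pay the invoice to account 1234"        # constructed message
    sig = sign(bob_priv, msg)

    # Mallory hands Alice her own key as "Bob's", alters the message and
    # signs it herself. Only the fingerprint check can tell the keys apart.
    altered = b"Pay the invoice to account 9999"
    mal_sig = sign(mal_priv, altered)

    return {
        "honest": alice_accepts(bob_pub, msg, sig, bob_fp),
        "mitm_key_unverified": alice_accepts(mal_pub, altered, mal_sig),
        "mitm_key_verified": alice_accepts(mal_pub, altered, mal_sig, bob_fp),
        "tampered_message": alice_accepts(bob_pub, altered, sig, bob_fp),
    }


if __name__ == "__main__":
    for case, ok in demo().items():
        print(f"{case}: {'accepted' if ok else 'rejected'}")
```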
SSL certificates (TLS certificates)
SSL = secure socket layer, old name
TLS = transport-layer security, new name
Any pair of entities can negotiate a session key:
You're guaranteed a random key provided the other side does not see your bits before choosing theirs. There are protocols to enforce that (eg exchanging encrypted bits and then exchanging special keys to decrypt them)
BUT: how do you know you're not about to give your credit card to a bad
guy with whom you've just created a session key?
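An added example (not from these notes) of the "commit first, reveal later" idea described above: each side fixes its random bits before seeing the other's, so the XOR of the two contributions is a random session key that neither side can steer. A salted hash stands in for the notes' "encrypt the bits, then hand over the key" step; the names, the 16-byte key length and the cheating strategy are assumed. As the BUT above says, none of this tells Alice who the other side is.

```python
import hashlib
import secrets

KEY_LEN = 16   # bytes of key material each side contributes


def derive_key(a_bits: bytes, b_bits: bytes) -> bytes:
    """Session key = XOR of both contributions: uniformly random as long as
    at least one side chose its bits at random and independently."""
    return bytes(x ^ y for x, y in zip(a_bits, b_bits))


def commit(bits: bytes, salt: bytes) -> bytes:
    """Commitment to 'bits': fixes them without revealing them."""
    return hashlib.sha256(salt + bits).digest()


def opened_ok(commitment: bytes, bits: bytes, salt: bytes) -> bool:
    return secrets.compare_digest(commitment, commit(bits, salt))


def naive_exchange(alice_bits: bytes, bob_choose) -> bytes:
    """No commitments: Alice sends her bits first, Bob picks after seeing
    them, so Bob can force whatever key he likes."""
    return derive_key(alice_bits, bob_choose(alice_bits))


def committed_exchange(alice_bits: bytes, alice_salt: bytes, bob):
    """Commit-then-reveal, seen from Alice's side. Returns the key, or None
    if Bob's reveal does not match what he committed to."""
    c_alice = commit(alice_bits, alice_salt)                  # 1. Alice -> Bob
    c_bob = bob.commit(c_alice)                               # 2. Bob -> Alice
    bob_bits, bob_salt = bob.reveal(alice_bits, alice_salt)   # 3. both open
    if not opened_ok(c_bob, bob_bits, bob_salt):              # 4. Alice checks
        return None
    return derive_key(alice_bits, bob_bits)


class HonestBob:
    def commit(self, alice_commitment: bytes) -> bytes:
        self.c_alice = alice_commitment
        self.bits = secrets.token_bytes(KEY_LEN)
        self.salt = secrets.token_bytes(16)
        return commit(self.bits, self.salt)

    def reveal(self, alice_bits: bytes, alice_salt: bytes):
        # Bob checks Alice's opening just as she checks his.
        if not opened_ok(self.c_alice, alice_bits, alice_salt):
            raise ValueError("Alice's reveal does not match her commitment")
        return self.bits, self.salt


class CheatingBob(HonestBob):
    """Wants the session key to be all zeros. Once he sees Alice's bits he
    'reveals' a copy of them instead of what he committed to."""
    def reveal(self, alice_bits: bytes, alice_salt: bytes):
        return alice_bits, self.salt


def run_demo() -> dict:
    alice_bits = secrets.token_bytes(KEY_LEN)
    alice_salt = secrets.token_bytes(16)
    return {
        "naive_forced_key": naive_exchange(alice_bits, lambda a: a),
        "committed_honest": committed_exchange(alice_bits, alice_salt, HonestBob()),
        "committed_cheater": committed_exchange(alice_bits, alice_salt, CheatingBob()),
    }


if __name__ == "__main__":
    for case, key in run_demo().items():
        print(f"{case}: {key.hex() if key else 'REJECTED'}")
```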
What does this have to do with TRUST?
Do you trust the CAs listed in your browser? Huh? Have you even heard of any of them?
Edit => Preferences => Advanced => Encryption => View Certs
Of course, one of the real
reasons we trust online commerce -- that we have relatively few bad
experiences -- is
related to all this encryption in that it makes it much harder for bad
guys to eavesdrop. (The most likely location for bad guys, btw, is
either in your house or on your local cable loop.)
Note this is powerless against phishing attacks
Although the new Extended Validation SSL Certs might. Might.
Back to why we trust online vendors:
Overall, it seems that lack of bad past experience has the most to do
with why we trust. This seems to be
the case with face-to-face and brick-and-mortar relationships just as
much as with online situations.
What about personal sites? (Not necessarily dating, but those too.) How
do we form online friendships (eg at discussion sites)? What makes us
think people aren't completely deceiving us? What about in face-to-face settings? Is that any
different????
Trusting software part 2:
how do we do this? What responsibility do vendors have?
We've seen that people form trust relationships based on a fairly
limited set of positive experiences (though a limited set of negatives,
as well). Sometimes it seems that software has a lot to live up to, in
that we trust it because we don't see
bad experiences, but it is so easy for software to take advantage of
us.
Email: who is responsible for keeping you safe from spam?
From embedded tags in html that reveal to the sender if you've viewed
the email?
The images issue has been around for almost a decade; many email
vendors (and many freemail providers) have been reluctant to support
image-blocking until ~2006 or later. (There may be legitimate reasons
for that: it may be perceived as a
hard-to-understand option.)
Browsers: browsers do all sorts of identification of themselves
when
they connect. Some of that is important; some is questionable. Most
browsers do not leak "private" information, though they do leak the
browser and OS you are using. Furthermore, this is hard to change!
Try http://www.jms1.net/ie.shtml,
with internet explorer. (Actually, go to jms1.net,
and you get
redirected to the linked site if you're using IE. At one point there
was a page on the site that would simply make IE die.)
IE's entire ActiveX security model is broken; ActiveX is an approach
to security where you trust any signed
software. Java, on the other hand, trusts any source, but runs the
software in a "sandbox" where it (hopefully) can't damage your machine.
Many browser PLUGINS do leak
some degree of private information. When you register a plugin, you
connect some personal information to that plugin. Also, some plugins
contact the mothership at regular intervals.
See http://spywareremove.com/remove-BrowserPlugins
SEVERAL media players (plugin or otherwise) may do some checking of
licenses or with the mothership before allowing play. Perhaps most
players
from media companies behave this way.
What about compatibility lock-in?
To what extent should your OS be required to act on your behalf?
Palladium (aka Next-Generation Secure Computing Base):
locks you out of lots of things.
Trusted side: can't be reached by debuggers or viruses
Problem: machine now is autonomous; vendor has complete control. Do
you trust your vendor?
Software updates, file compatibility,
From Windows Internals by
Russinovich & Solomon:
In the Windows security model, any process running with a token containing the debug privilege (such as an administrator’s account) can request any access right that it desires to any other process running on the machine...
This logical behavior (which helps ensure that administrators will always have full control of the running code on the system) clashes with the system behavior for digital rights management requirements imposed by the media industry on computer operating systems that need to support playback of advanced, high-quality digital content such as BluRay and HD-DVD media. To support reliable and protected playback of such content, Windows uses protected processes. These processes exist alongside normal Windows processes, but they add significant constraints to the access rights that other processes on the system (even when running with administrative privileges) can request.
Will all software vendors eventually request that their applications
be protected? It would sure put a damper on reverse-engineering!
SONY case has the rights of users front and center.
Sony's 2005 "XCP" copy-protection scheme: it installed a private CD
driver
AND a hidden "r00tkit" (so named by Mark Russinovich, then of
sysinternals.com) that conceals itself and hides some registry
keys.
Is this legit?
How does it compare with Palladium (secure-computing platform)?
Users do click on a license
agreement. Were they sufficiently warned? (The software was apparently
installed before the EULA came
up; and in any event clearly the EULA did not explain just what was
going on.)
Note from Mark Russinovich, via wikipedia:
There is now a virus/worm out that takes advantage of the sony kit.
Sony issued an uninstall utility that didn't actually uninstall the
software, but did make it visible. However, users had to supply an
email address, which by Sony's privacy policy was eligible for spamming.
This or a later removal kit allegedly ADDED a bad ActiveX control.
Jurisdiction online
jurisdictional issues: where did the sale take place? This one is very
important for e-commerce. Here are some legal theories that have been applied (eg in the LICRA/Yahoo case):
The following are the traditional three rules for a US court deciding it has "personal jurisdiction" in a lawsuit:
eHarmony lawsuits, for alleged discrimination against homosexuals
eHarmony is headquartered in California.
New Jersey lawsuit by Eric McKinley, 2005
California lawsuit by Linda Carlson, 2007
How does jurisdiction apply? Should it have applied in New Jersey?
Is the fact that users must enter their address the deciding factor?
trademarks
libel/defamation
criminal law
laws governing sales: seller can sue in his home state/country
This is more or less universal.
Trademark scope
The Blue Note Cafe was located in NYC
The Blue Note, St Louis
(actually Columbia, MO) was a club, sued for trademark infringement by
Blue Note New York because they had a web site.
The case: Bensusan Restaurant Corp v King, 937 F. Supp. 295
(SDNY 1996)
The case was brought in federal district court, which decided there was
a lack of jurisdiction. Before that, however, note that the Missouri
club began using the name in 1980, and the NYC club did not register
the trademark until 1985. Note that, generally
speaking, in this sort of situation the Missouri club retains
the right to continue to use the name locally,
while non-local use is reserved to the federal trademark-holder.
The district court did look at the "long-arm statute" of the "forum
state", that is, New York. The New York law provides that
The State-court interpretation of this was that the act had to be
committed in New York State,
and the federal court deferred to this interpretation.
Another part of the NY state law did provide for jurisdiction when
the other party was outside the state. However, the law also
The Second Circuit decided that Blue Note Missouri did not derive revenue from interstate commerce. End of case.
Blue Note St Louis had a mostly passive web site, although they did
advertise tickets online, to performances at the club itself. These
tickets had to be picked up at the
Missouri box office; they were never mailed. Does this matter? Does it matter that
the tickets were technically not sold over the internet, but instead you
had to call a phone number?
This case was decided on jurisdictional
grounds: NY State did not have
jurisdiction.
The second-circuit appellate decision is at http://caselaw.lp.findlaw.com/cgi-bin/getcase.pl?court=2nd&navby=docket&no=969344.
This was a reasonable decision, but notice that it sure doesn't
offer many guarantees that your website won't infringe on a trademark
far far away.
Domain names
zippo v zippo, 1997
See
http://cyber.law.harvard.edu/metaschool/fisher/domain/dncases/zippo.htm
zippo lighters v zippo.com
trademark infringement filed under PA state law, but filed in federal district court.
PA "long arm" statute
zippo.com was a news service. They had email customers in PA, and two
ISP customers.
(1) the defendant must have sufficient "minimum contacts" with the
forum state,
(2) the claim asserted against the defendant must arise out of those
contacts, and
(3) the exercise of jurisdiction must be reasonable.
Decided JURISDICTIONAL issue, plus others: PA did have jurisdiction
Note the gray area between a completely passive website, just an
"electronic billboard", and “the knowing and repeated transmission of
computer files over the Internet”. Usually the latter means
subscriber-specific information.
What about google.com? Should Illinois courts have jurisdiction?
Internationally, we already looked at LICRA v Yahoo, filed in France (and won by LICRA) for Yahoo's selling of Nazi memorabilia on its auction site in the US. Yahoo had initially agreed to comply with the French order, and then later changed its mind, and filed suit in the US asking that the US court declare that the French court did not have jurisdiction. That case ended in a draw (specifically, in a declaration that the case was not "ripe").
Suppose your bank makes an error. Where do you sue them? What if their
only presence in your state is online? Consider the case Soma Medical v Standard Chartered Bank.
SCB is located in Hong Kong. Soma is in Utah. Soma did banking with SCB
online. Some money disappeared. Soma lost their lawsuit in Utah,
because the court ruled that the fact that SCB had a website accessible
in Utah did not give the State of Utah personal jurisdiction.
[Michael Shamos]
NTP v RIM: RIM's network hub was in Canada. RIM lost on that point, but there remain serious questions
about whether US patent law extends to other countries.
Butler v Beer Across America
http://itlaw.wikia.com/wiki/Butler_v._Beer_Across_America
BAA is an Illinois company selling beer over the internet. Butler's
minor son ordered beer, and it was delivered to him despite rules that
required an adult signature. Butler sued BAA under an Alabama law that
makes it illegal to sell alcohol to minors. In this case, Butler lost
her bid to get Alabama jurisdiction, though the case was transferred by
the Alabama court to Illinois.